ruby: fix CVE-2025-27220

In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method. Reference: https://security-tracker.debian.org/tracker/CVE-2025-27220 Upstream-patch: https://github.com/ruby/cgi/commit/cd1eb08076c8b8e310d4d553d427763f2577a1b6 (From OE-Core rev: 8c31f8e142894f103409ee10deccc22fdeea897c) Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Divya Chellam <divya.chellam@windriver.com> 2025-03-27 10:57:44 +0000
committer: Steve Sakoman <steve@sakoman.com> 2025-04-01 09:08:42 -0700
commit: ba85fa8c930a5b134af153f0a86a80b48046c6c1 (patch)
tree: ba65003ab3d1686ecac9f0452a62b8de5c6ea0dc /meta/recipes-devtools/ruby
parent: f82d945d504b82f64c3a715a199e65858aa23479 (diff)
download: poky-ba85fa8c930a5b134af153f0a86a80b48046c6c1.tar.gz
2 files changed, 79 insertions, 0 deletions
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2025-27220.patch b/meta/recipes-devtools/ruby/ruby/CVE-2025-27220.patch
new file mode 100644
index 0000000000..f2f8bc7f76
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2025-27220.patch
@@ -0,0 +1,78 @@
+From cd1eb08076c8b8e310d4d553d427763f2577a1b6 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Fri, 21 Feb 2025 15:53:31 +0900
+Subject: [PATCH] Escape/unescape unclosed tags as well
+Co-authored-by: Nobuyoshi Nakada <nobu@ruby-lang.org>
+CVE: CVE-2025-27220
+Upstream-Status: Backport [https://github.com/ruby/cgi/commit/cd1eb08076c8b8e310d4d553d427763f2577a1b6]
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ lib/cgi/util.rb           |  4 ++--
+ test/cgi/test_cgi_util.rb | 18 ++++++++++++++++++
+ 2 files changed, 20 insertions(+), 2 deletions(-)
+diff --git a/lib/cgi/util.rb b/lib/cgi/util.rb
+index 4986e54..5f12eae 100644
+--- a/lib/cgi/util.rb
+++ b/lib/cgi/util.rb
+@@ -184,7 +184,7 @@ module CGI::Util
+   def escapeElement(string, *elements)
+     elements = elements[0] if elements[0].kind_of?(Array)
+     unless elements.empty?
+-      string.gsub(/<\/?(?:#{elements.join("|")})(?!\w)(?:.|\n)*?>/i) do
+      string.gsub(/<\/?(?:#{elements.join("|")})\b[^<>]*+>?/im) do
+         CGI.escapeHTML($&)
+       end
+     else
+@@ -204,7 +204,7 @@ module CGI::Util
+   def unescapeElement(string, *elements)
+     elements = elements[0] if elements[0].kind_of?(Array)
+     unless elements.empty?
+-      string.gsub(/&lt;\/?(?:#{elements.join("|")})(?!\w)(?:.|\n)*?&gt;/i) do
+      string.gsub(/&lt;\/?(?:#{elements.join("|")})\b(?>[^&]+|&(?![gl]t;)\w+;)*(?:&gt;)?/im) do
+         unescapeHTML($&)
+       end
+     else
+diff --git a/test/cgi/test_cgi_util.rb b/test/cgi/test_cgi_util.rb
+index b0612fc..bff77f7 100644
+--- a/test/cgi/test_cgi_util.rb
+++ b/test/cgi/test_cgi_util.rb
+@@ -269,6 +269,14 @@ class CGIUtilTest < Test::Unit::TestCase
+     assert_equal("<BR>&lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escapeElement('<BR><A HREF="url"></A>', ["A", "IMG"]))
+     assert_equal("<BR>&lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escape_element('<BR><A HREF="url"></A>', "A", "IMG"))
+     assert_equal("<BR>&lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escape_element('<BR><A HREF="url"></A>', ["A", "IMG"]))
+
+    assert_equal("&lt;A &lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escapeElement('<A <A HREF="url"></A>', "A", "IMG"))
+    assert_equal("&lt;A &lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escapeElement('<A <A HREF="url"></A>', ["A", "IMG"]))
+    assert_equal("&lt;A &lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escape_element('<A <A HREF="url"></A>', "A", "IMG"))
+    assert_equal("&lt;A &lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escape_element('<A <A HREF="url"></A>', ["A", "IMG"]))
+
+    assert_equal("&lt;A &lt;A ", escapeElement('<A <A ', "A", "IMG"))
+    assert_equal("&lt;A &lt;A ", escapeElement('<A <A ', ["A", "IMG"]))
+   end
+ 
+ 
+@@ -277,6 +285,16 @@ class CGIUtilTest < Test::Unit::TestCase
+     assert_equal('&lt;BR&gt;<A HREF="url"></A>', unescapeElement(escapeHTML('<BR><A HREF="url"></A>'), ["A", "IMG"]))
+     assert_equal('&lt;BR&gt;<A HREF="url"></A>', unescape_element(escapeHTML('<BR><A HREF="url"></A>'), "A", "IMG"))
+     assert_equal('&lt;BR&gt;<A HREF="url"></A>', unescape_element(escapeHTML('<BR><A HREF="url"></A>'), ["A", "IMG"]))
+
+    assert_equal('<A <A HREF="url"></A>', unescapeElement(escapeHTML('<A <A HREF="url"></A>'), "A", "IMG"))
+    assert_equal('<A <A HREF="url"></A>', unescapeElement(escapeHTML('<A <A HREF="url"></A>'), ["A", "IMG"]))
+    assert_equal('<A <A HREF="url"></A>', unescape_element(escapeHTML('<A <A HREF="url"></A>'), "A", "IMG"))
+    assert_equal('<A <A HREF="url"></A>', unescape_element(escapeHTML('<A <A HREF="url"></A>'), ["A", "IMG"]))
+
+    assert_equal('<A <A ', unescapeElement(escapeHTML('<A <A '), "A", "IMG"))
+    assert_equal('<A <A ', unescapeElement(escapeHTML('<A <A '), ["A", "IMG"]))
+    assert_equal('<A <A ', unescape_element(escapeHTML('<A <A '), "A", "IMG"))
+    assert_equal('<A <A ', unescape_element(escapeHTML('<A <A '), ["A", "IMG"]))
+   end
+ end
+ 
+-- 
+2.40.0
diff --git a/meta/recipes-devtools/ruby/ruby_3.3.5.bb b/meta/recipes-devtools/ruby/ruby_3.3.5.bb
index 4354107a85..c91c51657f 100644
--- a/meta/recipes-devtools/ruby/ruby_3.3.5.bb
+++ b/meta/recipes-devtools/ruby/ruby_3.3.5.bb
@@ -27,6 +27,7 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \
           file://0006-Make-gemspecs-reproducible.patch \
           file://0001-vm_dump.c-Define-REG_S1-and-REG_S2-for-musl-riscv.patch \
           file://CVE-2025-27219.patch \
+           file://CVE-2025-27220.patch \
           "
 UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"
author	Divya Chellam <divya.chellam@windriver.com>	2025-03-27 10:57:44 +0000
committer	Steve Sakoman <steve@sakoman.com>	2025-04-01 09:08:42 -0700
commit	ba85fa8c930a5b134af153f0a86a80b48046c6c1 (patch)
tree	ba65003ab3d1686ecac9f0452a62b8de5c6ea0dc /meta/recipes-devtools/ruby
parent	f82d945d504b82f64c3a715a199e65858aa23479 (diff)
download	poky-ba85fa8c930a5b134af153f0a86a80b48046c6c1.tar.gz

diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2025-27220.patch b/meta/recipes-devtools/ruby/ruby/CVE-2025-27220.patch new file mode 100644 index 0000000000..f2f8bc7f76 --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2025-27220.patch
@@ -0,0 +1,78 @@
		1	From cd1eb08076c8b8e310d4d553d427763f2577a1b6 Mon Sep 17 00:00:00 2001
		2	From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
		3	Date: Fri, 21 Feb 2025 15:53:31 +0900
		4	Subject: [PATCH] Escape/unescape unclosed tags as well
		5
		6	Co-authored-by: Nobuyoshi Nakada <nobu@ruby-lang.org>
		7
		8	CVE: CVE-2025-27220
		9
		10	Upstream-Status: Backport [https://github.com/ruby/cgi/commit/cd1eb08076c8b8e310d4d553d427763f2577a1b6]
		11
		12	Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
		13	---
		14	lib/cgi/util.rb \| 4 ++--
		15	test/cgi/test_cgi_util.rb \| 18 ++++++++++++++++++
		16	2 files changed, 20 insertions(+), 2 deletions(-)
		17
		18	diff --git a/lib/cgi/util.rb b/lib/cgi/util.rb
		19	index 4986e54..5f12eae 100644
		20	--- a/lib/cgi/util.rb
		21	+++ b/lib/cgi/util.rb
		22	@@ -184,7 +184,7 @@ module CGI::Util
		23	def escapeElement(string, *elements)
		24	elements = elements[0] if elements[0].kind_of?(Array)
		25	unless elements.empty?
		26	- string.gsub(/<\/?(?:#{elements.join("\|")})(?!\w)(?:.\|\n)*?>/i) do
		27	+ string.gsub(/<\/?(?:#{elements.join("\|")})\b[^<>]*+>?/im) do
		28	CGI.escapeHTML($&)
		29	end
		30	else
		31	@@ -204,7 +204,7 @@ module CGI::Util
		32	def unescapeElement(string, *elements)
		33	elements = elements[0] if elements[0].kind_of?(Array)
		34	unless elements.empty?
		35	- string.gsub(/<\/?(?:#{elements.join("\|")})(?!\w)(?:.\|\n)*?>/i) do
		36	+ string.gsub(/<\/?(?:#{elements.join("\|")})\b(?>[^&]+\|&(?![gl]t;)\w+;)*(?:>)?/im) do
		37	unescapeHTML($&)
		38	end
		39	else
		40	diff --git a/test/cgi/test_cgi_util.rb b/test/cgi/test_cgi_util.rb
		41	index b0612fc..bff77f7 100644
		42	--- a/test/cgi/test_cgi_util.rb
		43	+++ b/test/cgi/test_cgi_util.rb
		44	@@ -269,6 +269,14 @@ class CGIUtilTest < Test::Unit::TestCase
		45	assert_equal("<BR><A HREF="url"></A>", escapeElement('<BR><A HREF="url"></A>', ["A", "IMG"]))
		46	assert_equal("<BR><A HREF="url"></A>", escape_element('<BR><A HREF="url"></A>', "A", "IMG"))
		47	assert_equal("<BR><A HREF="url"></A>", escape_element('<BR><A HREF="url"></A>', ["A", "IMG"]))
		48	+
		49	+ assert_equal("<A <A HREF="url"></A>", escapeElement('<A <A HREF="url"></A>', "A", "IMG"))
		50	+ assert_equal("<A <A HREF="url"></A>", escapeElement('<A <A HREF="url"></A>', ["A", "IMG"]))
		51	+ assert_equal("<A <A HREF="url"></A>", escape_element('<A <A HREF="url"></A>', "A", "IMG"))
		52	+ assert_equal("<A <A HREF="url"></A>", escape_element('<A <A HREF="url"></A>', ["A", "IMG"]))
		53	+
		54	+ assert_equal("<A <A ", escapeElement('<A <A ', "A", "IMG"))
		55	+ assert_equal("<A <A ", escapeElement('<A <A ', ["A", "IMG"]))
		56	end
		57
		58
		59	@@ -277,6 +285,16 @@ class CGIUtilTest < Test::Unit::TestCase
		60	assert_equal('<BR><A HREF="url"></A>', unescapeElement(escapeHTML('<BR><A HREF="url"></A>'), ["A", "IMG"]))
		61	assert_equal('<BR><A HREF="url"></A>', unescape_element(escapeHTML('<BR><A HREF="url"></A>'), "A", "IMG"))
		62	assert_equal('<BR><A HREF="url"></A>', unescape_element(escapeHTML('<BR><A HREF="url"></A>'), ["A", "IMG"]))
		63	+
		64	+ assert_equal('<A <A HREF="url"></A>', unescapeElement(escapeHTML('<A <A HREF="url"></A>'), "A", "IMG"))
		65	+ assert_equal('<A <A HREF="url"></A>', unescapeElement(escapeHTML('<A <A HREF="url"></A>'), ["A", "IMG"]))
		66	+ assert_equal('<A <A HREF="url"></A>', unescape_element(escapeHTML('<A <A HREF="url"></A>'), "A", "IMG"))
		67	+ assert_equal('<A <A HREF="url"></A>', unescape_element(escapeHTML('<A <A HREF="url"></A>'), ["A", "IMG"]))
		68	+
		69	+ assert_equal('<A <A ', unescapeElement(escapeHTML('<A <A '), "A", "IMG"))
		70	+ assert_equal('<A <A ', unescapeElement(escapeHTML('<A <A '), ["A", "IMG"]))
		71	+ assert_equal('<A <A ', unescape_element(escapeHTML('<A <A '), "A", "IMG"))
		72	+ assert_equal('<A <A ', unescape_element(escapeHTML('<A <A '), ["A", "IMG"]))
		73	end
		74	end
		75
		76	--
		77	2.40.0
		78


diff --git a/meta/recipes-devtools/ruby/ruby_3.3.5.bb b/meta/recipes-devtools/ruby/ruby_3.3.5.bb index 4354107a85..c91c51657f 100644 --- a/meta/recipes-devtools/ruby/ruby_3.3.5.bb +++ b/meta/recipes-devtools/ruby/ruby_3.3.5.bb
@@ -27,6 +27,7 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \
27	file://0006-Make-gemspecs-reproducible.patch \	27	file://0006-Make-gemspecs-reproducible.patch \
28	file://0001-vm_dump.c-Define-REG_S1-and-REG_S2-for-musl-riscv.patch \	28	file://0001-vm_dump.c-Define-REG_S1-and-REG_S2-for-musl-riscv.patch \
29	file://CVE-2025-27219.patch \	29	file://CVE-2025-27219.patch \
		30	file://CVE-2025-27220.patch \
30	"	31	"
31	UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"	32	UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"
32		33